
Re: Unusual LUKS setup



On Mon, Aug 14, 2017 at 11:27:00AM +0200, Nicolas George wrote:
Hi.

I have been using LUKS to encrypt part of my system, with a rather
unusual setup, and I would like to ask for advice on making it more
standard without sacrificing my requirements.

My requirements are:

- Protect me from casual invasions of my privacy in case the computer
 were stolen.

- Being able to unlock the system remotely through SSH.

- Minimize the duration of the second-longest interval between required
 manual operations during boot.

 Which translates in practice to: minimize the time between the first
 interaction I must have with Linux and the moment I have a usable
 session.

- Minimize the number of keystrokes required during boot.

The second point requires an explanation. Like many people, in the
morning I switch on this computer with the following sequence: start the
boot, go take care of physiological needs, finish the boot. During the
longest part of the boot, I am somewhere else, hence my focus on the
second longest part. Since the duration of the POST is incompressible,
the longest part of the boot is usually the time between pressing the
power button and the first interaction required by Linux.

It sounds to me, then, that you'd like the system to be unencrypted, but your home to be encrypted. You want to look into PAM, which I'm sure can do this. With PAM, the system would come up and all the system daemons would start. Towards the end of that (or perhaps earlier, depending on the dependencies), login methods (getty / x-display-manager / sshd / etc.) would become available. You'd log in on one of those and PAM would ensure that your home is decrypted as part of the session start-up. A quick Google search suggests that pam_mount is your friend here. I *think* that pam_mount should be able to mount other directories (as well as home), so if you have a media partition that you'd like mounted, that can be done.


--
For more information, please reread.
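
The pam_mount approach suggested in the reply above, sketched as a configuration file. This is an added example, not part of the original message; the user name `alice`, the placeholder UUIDs and the `/srv/media` mount point are assumptions.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- /etc/security/pam_mount.conf.xml (added example; all values are assumptions) -->
<!DOCTYPE pam_mount SYSTEM "pam_mount.conf.xml.dtd">
<pam_mount>
  <!-- LUKS volume holding the home directory of the hypothetical user "alice".
       The LUKS passphrase must be the same as alice's login password,
       because pam_mount reuses the password collected by the PAM auth stack. -->
  <volume user="alice" fstype="crypt"
          path="/dev/disk/by-uuid/PLACEHOLDER-HOME-UUID"
          mountpoint="/home/alice" options="nodev,nosuid" />

  <!-- A second encrypted volume (for example a media partition) for the same
       user, unlocked with the same password at the same login. -->
  <volume user="alice" fstype="crypt"
          path="/dev/disk/by-uuid/PLACEHOLDER-MEDIA-UUID"
          mountpoint="/srv/media" options="nodev,nosuid,noexec" />

  <!-- On logout, unmount without signalling leftover processes. -->
  <logout wait="0" hup="no" term="no" kill="no" />

  <!-- Create missing mount points at login and remove them again at logout. -->
  <mkmountpoint enable="1" remove="true" />
</pam_mount>
```

The PAM stack of each login service also needs `pam_mount.so` in its auth and session sections. With SSH public-key authentication no password passes through PAM, so pam_mount has nothing to reuse as the LUKS passphrase; remote unlocking this way depends on password (or keyboard-interactive) login.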
